I wanted to highlight something that I find funny did not make a much
bigger impact: DARPA's release of former INFILTRATE keynoter Bill Arbaugh's
dataset of endpoint behavioral data. See here for more information:
How else are you supposed to test if your Endpoint Protection DEEEEEEP
LEARNING works or does not work, as advertised? My only complaints are:
This is not as much data as I would want. You really do want at least a
couple months of data. Everyone annoy DARPA about that. :)
I don't speak for Immunity anymore, but it IS good to see those who do
speak for Trail of Bits making themselves heard:
When I want to code something from scratch, I will often look for
libraries that help me achieve it best regardless of language they are
written - for common situations Python has a good ecosystem (but web
interfaces don't look so great there anymore), if it's enterprise-y, most
likely Java (which I'll use via Jython if I can help it), if it's
Windows-ish - C# with WinApi calls. Weirdly RubyDNS/EventMachine is good
for quick DNS shenanigans. I do this because I don't have an infinite
amount of time to re-implement something in my *langage du jour*.
Same holds true for people moving code for hacking operations. If an
operator wants to search for specific data on a computer, I'm probably best
off using Windows Search API and the easiest way to invoke it is via
- about 20 lines of code seems to do it. I looked at my code for
selectively exfiltrating Outlook mailbox contents and discovered it was a
bit of OLE Interop code (again - PowerShell, but I concede that C# would be
pretty close line-wise). We could of course bring OpenDLP package or ntfs
raw copy the entire .ost, but that seems to be heavyweight. A parallel
exists for EDRs as well - EDRs like to rely on cool Win8.1+ features and
tell customers to upgrade their XP/7 and Win2k3 boxes or not have latest
features - they don't want to re-implement same stuff 3 times and could you
please have our .NET to 4+ kthx bye. (this is also why network traffic
recorders are useful).
You can see right now the fad for POC implants has moved away from C to C#
to Golang, because all of this makes programmers more productive. as you're
paid for operations not tool fetish, why write it in C? Sometimes doing
stuff in non-C is harder. Over the last 2 months there's been an explosion
of API unhooking articles thanks to great work by F-Secure (ex MWR)
and so to keep up with the Joneses any decent toolkit needs now the ability
to manipulate loaded libraries which perhaps excludes some choice of
languages (I'm not quite sure how to achieve this in PS).
Other code economics matter as well. When you're in shellcode territory,
the crawl space is small. Once you're in "bootstrap" territory, you have
more space (e.g. your Office macro that downloads the kit can be fairly
meaty) and you have options to hunt for eggs (e.g. retrieve a hidden
attachment from Outlook in which your macro came in). Once you're in the "I
can run an exe/dll here" territory, 20 megs is nothing. In one report I
read, hackers downloaded and installed VirtualBox to run their toolkit. I
think Dave's INNUENDO ran to 40 megs. Once they were done, it was a matter
of shutting down the encrypted VM - good luck with forensics.
Applied IT sorcery.
I've moved to a part time contract with AppGate and I'm focused largely on
INFILTRATE now, which gives me some time to attend cyber policy briefings.
Most cyber policy briefings are the same 200 people, and they tend to be
held under Chatham House rules, which means they are not recorded and you
can't quote anyone directly. I'm not sure why, since getting someone in
Cyber Policy to say anything controversial is as impossible as getting them
to think about any kind of change that doesn't involve giving more money to
CISA, for some reason.
As part of prepping for INFILTRATE, like many of you, I've been attending a
suite of online security conferences, from SANS (Zoom+Slack), to Summercon
(Youtube), to Matt Suiche's OPCODE <https://www.opcde.com/opcdex/> (Youtube)
to today's ACM Program Analysis conference
<https://www.youtube.com/watch?v=81V2ifmW-4c> (Youtube), still going on !
That program analysis conference is AMAZING btw. The first talk, by Peter
O'Hearn <https://en.wikipedia.org/wiki/Peter_O%27Hearn> is on point, as he
starts off with some high level lessons learned trying to transfer his
academic work on static analysis into Facebook's efforts, then three
quarters of the way through dives like a pelican into the depths of
concurrency analytics theory. He talks about what worked and what didn't
work and how to scale.... and I dunno how to explain it. It's just a
nuclear sub of a talk, rising from the icy sea with advanced technology and
INFILTRATE is not going to be a purely virtual conference. A lot of what
you do at a good conference is have conversations you can't have over a
Chinese teleconference system, sometimes with a beverage of choice. We're
going to have a hybrid conference - there's some amazing things about
virtual conferences but they're not everything, as I'm sure you're aware.
I've also had time to try to catch up with the exploit firehose. This bug
in particular - an integer overflow in Variant processing in the core
feature of Windows. That would have been an amazing 0day to have. Or maybe
not? It's hard to know without writing the exploit, looking at the target
space, testing a lot of things. Recently one of the people in a policy
conference asked "What is it that makes a government different anyways?"
And the answer, of course, is vertical integration. When you find an 0day,
it's hard to know anything about it other than it gets you a shell! And
there's so much to know - much of which you want to talk about over fried
alligator with music just loud enough to keep recording devices guessing.